
In boardrooms across the nation, there is one risk that stands above all others: cybersecurity. As an ever-evolving threat, companies and the legal profession must also evolve to meet it. In 2010 I started advocating for Southern California businesses and law schools to recognize “cyber law” as a legal practice. There was no interest. Today, however, with cybersecurity as a top business and legal priority, I successfully helped launch Southern California’s first cybersecurity and data privacy law school concentration, and a growing number of companies are looking to hire in-house cyber counsel. But while the demand for bringing this role in-house has increased, many companies don’t understand its nuances. Here are some tips that may help.

1. Understand the Difference Between “Privacy” and “Cyber” Counsel

Many people think that “privacy” and “cybersecurity” lawyers are one and the same, so that if you hire one you also get the other. In fact, though there is overlap between the two practice areas, they are distinct in the same way that litigation and regulatory law may overlap but are different. Recognizing this distinction will help you pick the right candidate for each role.

Privacy law dictates how companies may collect, store, use, and market personal information belonging to others. Want to know whether a particular law controls your ability to collect kids’ information from a new phone app? That’s a matter for privacy law. In contrast, cybersecurity law dictates how companies must keep all sensitive information (whether personal information or not), as well as company systems, goods, and services, safe from bad actors. Need to know whether the Computer Fraud and Abuse Act applies to an ex-employee who stole company files by convincing a remaining employee to share passwords? Ask a cyber lawyer.

Many companies may want to hire a single person to assume both the privacy and cyber counsel roles for cost and other reasons. If so, it’s important to ask prospective candidates about their knowledge of both practice areas. Since privacy is the more established of the two areas, people generally know how to gauge a candidate’s privacy skills and knowledge. The same doesn’t hold true for cybersecurity. Questions like the ones below may help you assess a candidate’s cyber-related business, legal, and technical acumen:

Technical: “Explain the Lockheed Martin Cyber Kill Chain, and how companies use it to manage cyber risk.” (Cyber lawyers don’t need to be IT experts, but having basic technical knowledge helps.)

2. Understand What Cyber Counsel Do

Many people ask: “What do cyber counsel do?” The exact role will differ from company to company. However, at a high level, two common goals predominate: (1) helping set up cyber risk management/compliance programs, and (2) advising (or leading) cyber incident response teams. In other words, a good cybersecurity attorney must be both proactive and reactive.

These goals sound simple, but they represent the tip of the iceberg. On the proactive side, common tasks include partnering with company stakeholders to:

analyzing digital forensic reports and physical security investigative reports, and then summarizing that information into plain English for company leaders;

advising the company’s public relations personnel when issuing press releases and other public statements to minimize the risk of SEC violations and shareholder fraud claims;

determining whether any state or federal cyber laws/regulations apply to a particular incident; and

for publicly traded companies, advising senior leadership whether to close internal trading windows in response to a cyber incident.

These are a sampling of tasks that cyber counsel may deal with. As your company’s technology and security needs grow, so will this list.

3. Picking Cyber Counsel Requires Balancing Multiple Factors

If your company wants to hire a single person to fill both the privacy and cyber roles, consider whether your candidate possesses the following:

privacy knowledge and experience;

cybersecurity knowledge and experience;

in-house counsel experience, particularly in working with the business side to develop enterprise-wide cyber risk management/compliance programs;

an existing network of cyber practitioners (e.g., forensic investigators, law enforcement contacts, and even colleagues to “talk shop” with); and

the confidence to make snap decisions, and to persuade internal clients to stay after-hours to investigate incidents that the attorney (but not necessarily the client) believes may require immediate resolution.

The day may come when candidates possessing all of these traits exist in droves, but today is not that day. Until then, you and your company will need to prioritize your in-house counsel’s key traits based on your company’s needs. Also, consider setting a training and certification budget to provide your new hire with the knowledge, skills and networking contacts needed to fulfill both roles. (For additional information, see Robert Kang, It Takes a Village to Stop Cybercrime, ACC Docket (May 2018) pp. 78-79.) Finally, even if you and your company start with a single person to fill both privacy and cyber roles, consider creating dual positions as your company’s technology, privacy and cyber needs grow. For example, JP Morgan Chase & Co. started with privacy practitioners only, but now boasts separate privacy and cyber law teams. If your company grows, the work will be there.

Conclusion

Cybersecurity is a huge business and legal risk that grows ever bigger. For many years, companies have depended on outside counsel to meet their cyber law needs, but they now are starting to bring that talent in-house. If your company has decided to take the plunge to hire in-house cyber counsel, the foregoing information may help you find a worthwhile candidate. Good luck!

-----

Robert Kang is an adjunct professor for technology and risk management at Loyola Law School, Los Angeles, where he played a leading role in creating Southern California’s first cybersecurity and data privacy law concentration. Robert is also in-house cyber counsel for a U.S. company, and a member of the Board of Directors for the Southern California chapter of the Association of Corporate Counsel. Resources referenced in this article are provided for educational purposes only. Contact Robert via email at kangr@lls.edu

The views expressed in this article are those of the author and not necessarily those of the author’s employers, including Loyola Law School, or Bloomberg Law.
